All it means is that if you contract malware from that site, it was actually coming from that site and not somewhere else, so at least you're sure of who to blame.
–
ShadurAug 29 '14 at 5:42

3

"I know that your computer can get infected by just visiting a website". This is only true if your browser has a vulnerability in it. If your browser is always up to date, it's not really a problem.
–
GudradainAug 29 '14 at 12:55

7

@Gudradain It's usually not a problem if your browser is up to date. There's still the possibility of zero-days. (Although obviously the odds of you running into one of those is pretty slim.)
–
Ajedi32Aug 29 '14 at 15:21

6

I also know that HTTPS websites are secure. Not quite. HTTPS connections are secure. That says nothing at all about the website on the other side of the connection.
–
Mason WheelerAug 30 '14 at 16:47

8

Could you, personally write a hostile web site? Sure. Could you personally get a certificate to host an HTTPS site? Sure. If you can do it, can other people do it too? Yes.
–
Eric LippertAug 30 '14 at 18:01

9 Answers
9

No, HTTPS does not necessarily mean that a site is not malicious. HTTPS means very little as to the security of a site. It's specifically geared to keep your communication with the site secure from eavesdroppers and tampering, but offers nothing as to the security of the site itself.

Yes, a site serving content over HTTPS has a certificate. That means that the individual who requested the certificate from the CA has an email address that is associated with the domain. Except in the case of Extended Validation certificates (the ones that offer a green address bar) this is literally all it means. Nobody from the CA is validating that the site is safe, secure, and not serving malware. Any site, with an SSL cert or without, can have bugs and vulnerabilities that allow an attacker to leverage them to serve an exploit. Or a admin or user who has the ability to either maliciously or unknowingly cause the site to serve malware. Even if the site itself does not, if it serves advertisements (or any other content, for that matter) from an ad network or another site, that could be vulnerable.

So, HTTPS means that nobody should be able to view or tamper with your traffic. That is all that it means.

Not at all a guarantee. HTTPS means that the web page has SSL, which simply means that your connection to the page is encrypted. The content on the page could be anything that could be posted on any web site whether encrypted by SSL or not.

What about the certificate? Don't the CAs need to verify the identity of the site owner .. etc?
–
UlkomaAug 29 '14 at 0:07

10

Not all certificates are bought from a CA. People can sign their own certificates. Also, not all people who pay money to a CA for a certificate are honest, people are people.
–
Jeff ClaytonAug 29 '14 at 0:12

8

@Ulkoma Also, note that many CAs do not verify the identity of the purchaser of a certificate, but merely that the person they are dealing with is in control of the domain (e.g. by sending email to an address at the domain). You may want to look at "extended validation" ssl certificates, where the certificate issuer has warranted that they have verified identity, but even in this case the system is not foolproof.
–
JulesAug 29 '14 at 2:07

Bringing up hacking, and while not directly an answer to this question, it is possible that your SSL connection could be hijacked which would fool you into a false sense of security. Check the various posts on this site about the SSLSTRIP Man in the Middle attack for more information about this type of issue: security.stackexchange.com/search?q=sslstrip
–
Jeff ClaytonAug 30 '14 at 3:23

Arguably it's more accurate to say mitigates the possibility of a MITM attack. Given access to the users' machine I could install my own CA root certificate, etc. Or the user could be stupid and click the "I understand the risks" button in Chrome, etc.
–
Wayne WernerAug 30 '14 at 15:47

It is called 'secure' because theoretically the security protocols (ssl/tsl and some others) do not allow the information being exchanged to be easily understood (it encrypts the data flow), so, even if someone would catch your packets, they would have to decrypt it to understand the message.

Now this is useful because some information such as passwords, social security number, credit card number and etc. can cause a lot of problems if they are discovered by someone intent on causing damage.

In this sense, https helps us by making difficult for a third party to know what information we exchanged with a website (and that's why most banks do utilize at least https on their services), but that doesn't stop a website or service to be infected with malicious software or an attacker to indirectly reach you by infecting a server.

Now, I inferred from your question that when you used the term 'secure' you meant it in different way (in the sense of safety against malicious content), in this sense, https does not protect you at all because it doesn't pay attention to content (what is being transmitted through the connection) itself.

Yes, it can easily be - malicious JavaScript or viruses can be transferred over HTTPS as easily as over HTTP no problem. It may be somewhat less likely as the source of the valid verified HTTPS message is known.

However still may happen if the HTTPS site has had security hole, has been attacked, compromised and malicious content has been installed on it. It will not be for long, soon the administrator know one or another way and remove the malware. However I would prefer to avoid trusting the content just because it was delivered over HTTPS.

Add to the list that the CA itself could have been hacked (e.g. DigiNotar) and used to issue fake certificates, or your browser might be forced to use fake CAs specifically so that your connection might be intercepted and tampered with - as is sometimes used on corporate networks.

Oh, also the certificate might have been faked because it was using MD5.
As has been already said, that lock icon in your browser means something else than you think it does :).

In addition to the other points raised, it's worth mentioning that even a trusted site (for example, your bank), could still be infected by a virus that makes it behave maliciously. So even if you trust the organization, https still does not guarantee that the website doesn't do malicious things.

A Pharming attack can be used to redirect your traffic to a malicious server. This server will connect to the legit one and will authenticate on it as if it is you. Then it will present to you the information or web page from the legit server. For you - it will appear as you are connected securely to the legit server but now there is a MITM that has access to the channel and he can read everything on it. This kind of attack is difficult to execute but it can render HTTPS useless...

So the site dose not have to be malicious, it can be your bank. But, using this approach, some one can get all of your account data, credentials, etc even though the site is HTTPS.

ONLY if you ignore the (increasingly obnoxious) warnings about mismatched certificate, or the attacker is able to get a fraudulent cert by deceiving the CA (should be impossible, especially for EV) or subverting it (has happened, but rarely).
–
dave_thompson_085Aug 30 '14 at 9:50

Also one thing to consider very carefully, is that certain antiviruses work by scanning the traffic. If the site is using HTTPS, a virus can in fact slip undetected past the radar.

This is especially important if you either have a antivirus service provided by your ISP, your employer, or your school, which is based on a "Proxy".
This is why some proxies actually pretend to be MITMs like BlueCoat Proxy, and then unpack the encrypted traffic, read it, and then send it along with a spoofed certificate (which all client computers behind this Proxy is configured to accept, either via a GPO or by a NAC device).

Thus, HTTPS is a double edged sword. It can be used by the good guys to hide good data (credit card numbers, passwords etc) from the bad guys (eg scammers, hackers).
But it can also be used by the bad guys to hide bad data (eg viruses, illegal files etc) from the good guys (virus scanners, law enforcement etc)

The usual antivirus configuration has the browser asking the local antivirus to scan downloaded files before the user is given access to them, this works fine with HTTPS. As for proxy virus scanners, yes they have to play MITM. Basing your (non)use of HTTPS on the possible existence of a poorly configured proxy virus scanner doesn't seem very smart. It wouldn't do anything that a local scanner can't do, and a normal user doesn't really have any choice regarding HTTPS anyway.
–
eBusinessAug 31 '14 at 14:28

What I meant is when you have the choice to use a HTTPS variant or a HTTP variant, where SSL is not mandatory. Its not a poor configuration to have a Proxy that Scans files for viruses. Its pretty smart for some ISPs, Corporations or schools to provide AV service for their users without them having to install anything (except for a root certificate if they cant push it via NAC/GPO). However, when theres no MITM, you should avoid using HTTPS when HTTP is available if the site is untrusted.
–
sebastian nielsenAug 31 '14 at 18:06